9.3
CVE-2025-34102 - CryptoLog Unauthenticated RCE via SQL Injection and Command Injection
A remote code execution vulnerability exists in CryptoLog (PHP version, discontinued since 2009) due to a chained exploitation of SQL injection and command injection vulnerabilities. An unauthenticated attacker can gain shell access as the web server user by first exploiting a SQL injection flaw in…
9.3
CVE-2025-34096 - Easy File Sharing HTTP Server 7.2 Buffer Overflow via POST to /sendemail.ghp
A stack-based buffer overflow vulnerability exists in Easy File Sharing HTTP Server version 7.2. The flaw is triggered when a crafted POST request is sent to the /sendemail.ghp endpoint containing an overly long Email parameter. The application fails to properly validate the length of this field, r…
9.3
CVE-2025-34095 - Mako Server v2.5 and v2.6 OS Command Injection via examples/save.lsp
An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on …
7.5
CVE-2025-53506 - Apache Tomcat: DoS via excessive h2 streams at connection start
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 …
7.5
CVE-2025-34093 - Polycom HDX Series Telnet Command Injection via lan traceroute
An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters t…
8.6
CVE-2025-34097 - ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin's install() …
7.1
CVE-2025-34098 - Riverbed SteelHead VCX Authenticated Arbitrary File Read via Log Filter Injection
A path traversal vulnerability exists in Riverbed SteelHead VCX appliances (confirmed in VCX255U 9.6.0a) due to improper input validation in the log filtering functionality exposed via the management web interface. An authenticated attacker can exploit this flaw by submitting crafted filter express…
9.3
CVE-2025-34101 - Serviio Media Server Unauthenticated Command Injection via checkStreamUrl VIDEO Parameter
An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to …
9.3
CVE-2025-34099 - VICIdial vicidial_sales_viewer.php Unauthenticated Command Injection via Basic Auth Password
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directl…
6.9
CVE-2025-7021 - OpenAI Operator - API Spoofing through Locking Operator on FullScreen
Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser …